Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
Andrew Gallagher <andrewg@andrewg.com> Thu, 02 March 2023 13:37 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE2D3C151AF6 for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 05:37:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IAHb4XJSLnOU for <openpgp@ietfa.amsl.com>; Thu, 2 Mar 2023 05:37:17 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15369C152EE1 for <openpgp@ietf.org>; Thu, 2 Mar 2023 05:37:01 -0800 (PST)
Received: from [192.168.3.141] (ip-83-147-167-54.glw.metro.digiweb.ie [83.147.167.54]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id E05205F4E1 for <openpgp@ietf.org>; Thu, 2 Mar 2023 13:36:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677764219; bh=L2OPBWvhjUte1einzXMPC4w2ZzTEUkgKI8LUjnKNArM=; h=Date:To:References:From:Subject:In-Reply-To:From; b=fLXLm9rsd3ipwEeziEA4oAZNL33BOLbZFfat153TvQZDsHjNpXn1kJid2l/ojGbaL Ky53ewD/7OJpF8QGNTbHremWrfi943I+QezlYgmI/TB/P1Gjb++N+ZqmyawWVvI7nq /E8nilghBQxE1o8PFF26Vd0KHlnJqaKZnTwY3J5M1K7ogQIi+jEjkrfZsVP5JM97Eg Haa+vY1CDBbDso2q26y0mwMV4n7bzTXrMfjuF7GV/o6Z9BKFTE1f81EOABiEc7aZxl o4zeT3fiTc17cJe5fIiB/UyFBtcXn+MeXcuxAM+t3R9jCmZt8nq3jnRXUowpmr9V57 83MYCleKb0HFw==
Message-ID: <c8bc1904-dcaf-6ab9-1f16-85a0a2761c6f@andrewg.com>
Date: Thu, 02 Mar 2023 13:36:57 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.7.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan> <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com> <87lekgs64c.fsf@fifthhorseman.net> <fb3a9276-f948-73dc-af81-46dfa9b02209@andrewg.com> <87a60vbi7n.fsf@europ.lan> <5ba74a57-c039-5ab8-45bc-30ae681bc8c8@andrewg.com> <877cvzbet0.fsf@europ.lan>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <877cvzbet0.fsf@europ.lan>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1570cQjuG2TYE_d9cOlhVgiCokk>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 13:37:22 -0000
On 02/03/2023 10:58, Justus Winter wrote: > > RFC4880 failed to specify a lot of things. I fear that if we enumerate > all of them, and retroactively sanction lenient behavior, that a) we're > going to be here until the end of time, and b) weaken the already weak > requirements that RFC4880 failed to nail down. My proposed wording as of 2023-02-28 did not weaken the requirements of RFC4880, it actually strengthened them by restricting the manner in which malformed signatures could be processed. But you didn't like that one either. > I understand that this is precisely your point: if the spec would > sanction lenient behavior in this case, then that may convince Proton to > support lenient behavior in GopenPGP, and that would enable Hockeypuck > to serve these signatures. Yes. Because I don't believe that it is the role of keyservers to be enforcers in this particular matter. It is keyserver operators who are fielding complaints, not Github, and the answer "nothing we can do, Github is a dumpster fire, blame them" does not satisfy users who just want things to work. Inflexibility is valuable if you apply it consistently from the start so that deviations don't arise in the first place. If you start applying it after twenty years of effective liberalism, you're just breaking things that used to work. Postel's law is flawed, of course. But criticisms of it are framed in the context of synchronous protocols, and continuous improvement. You refuse to tolerate errors because that's the only way that your peers learn to do better. A more appropriate maxim in this instance is "be tolerant of your grandparents, but teach your children properly". There's no value to be gained in refusing to buy a second hand out of print book, because there is no feedback mechanism to cause that book to improve itself. Invalidating a v4 signature on a git commit from 2013 does not encourage github to get in a time machine and fix their commit history. It just makes users angry because you *broke their stuff*. > I assume that with "a significant number of apparently valid but > malformed signatures" you don't mean artifacts produced by openpgp.php, > which I don't believe to be in widespread use. Instead, I think you > refer to the malformed signatures produced by Github. If so, are you > going to propose a similar paragraph for the malformed MPIs? I considered it, but that would further delay the draft over a technicality that did not have any direct consequences for me or my implementation. gopenpgp is already lenient on this matter, so I can live with it. > Both cases are contingent on reading RFC4880 as allowing lenient > behavior, which to this day I fundamentally disagree with. It does not matter whether you think RFC4880 allowed lenient behaviour or not. What matters is that enough other people thought that it did, so there are now permanent facts on the ground that you are powerless to undo. Neither of us LIKE this scenario. I'm just not prepared to punish github users for a historical error that a) they had no hand in, b) has no known security implications, and c) nobody, not even github themselves, can now fix. I would much prefer to do this in a documented and mantainable way. But since it is now clear that no consensus is possible on any further changes of wording, I will no longer pursue it in this forum. I withdraw my proposal. A
- [openpgp] Should signatures be rejected if the em… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Daniel Huigens
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Stephen Farrell
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Daniel Kahn Gillmor
- Re: [openpgp] Should signatures be rejected if th… Justus Winter
- Re: [openpgp] Should signatures be rejected if th… Paul Schaub
- Re: [openpgp] Should signatures be rejected if th… Paul Wouters
- Re: [openpgp] Should signatures be rejected if th… Andrew Gallagher